ssh2john: add EC AES-256-CBC conversion

[Nothing4You]

No description provided.

[solardiz]

Thank you! This implements some of what #5430 says.

Have you checked whether the resulting "hashes" are currently supported by john? Are they? Were you able to successfully crack a password?

[Nothing4You]

I haven't tested this with John to be honest but I have successfully cracked a hash with hashcat mode 22951 (RSA/DSA/EC/OpenSSH Private Keys ($5$)) that I converted with this.

[solardiz]

Thanks. Can you also test it with John, please?

[Nothing4You]

echo johnjohn > johnpass
openssl ecparam -name secp521r1 -genkey | openssl ec -aes256 -out john.key -passout file:johnpass

-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,8F1F99CC6F27C8B23478A3DE6FCEC7D7

exCFTdVbejhAiVLUeeq0gz0D5hZGuwqttBj5WJGGLe84acBEMFgmf7q0N4KGyju+
MNhc2hKTQJUJjcEGRDV4AGImdgphX5VdE+dC8G2nYtaCmCpUIr/11LzcMh0mn1KT
fTB324MT9w/WYjj+kNFl9f1T+DlVQnS4Hjs9LTuw7grZJAL3lODLIKpO47oqqiYV
CwhHeG3U8gQh6t6AmgaIhnaVON5/yLu3P9qyr08mzw8OarcHTFDe+8cBFMpMGz7o
Pk+nL6Lzx10SAxF50fMzwtng0nASExOva9JCO7gU2HM=
-----END EC PRIVATE KEY-----

# patched version from this PR
python3 ~/john/run/ssh2john.py john.key > john-hash.txt

john.key:$sshng$5$16$8F1F99CC6F27C8B23478A3DE6FCEC7D7$224$7b10854dd55b7a38408952d479eab4833d03e61646bb0aadb418f95891862def3869c0443058267fbab4378286ca3bbe30d85cda12934095098dc106443578006226760a615f955d13e742f06da762d682982a5422bff5d4bcdc321d269f52937d3077db8313f70fd66238fe90d165f5fd53f839554274b81e3b3d2d3bb0ee0ad92402f794e0cb20aa4ee3ba2aaa26150b0847786dd4f20421eade809a068886769538de7fc8bbb73fdab2af4f26cf0f0e6ab7074c50defbc70114ca4c1b3ee83e4fa72fa2f3c75d12031179d1f333c2d9e0d270121313af6bd2423bb814d873

I'm not sure if I'm doing this right, but it doesn't seem like this is currently working with john:

John the Ripper 1.9.0-jumbo-1+bleeding-207445ab54 2024-12-29 04:12:05 +0100 OMP [linux-gnu 64-bit x86_64 AVX512BW AC]

root@testvm:~/demo# ~/john/run/john -1=john --mask='?1?1?1?1?1?1?1?1' john-hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 3DES/AES 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
0g 0:00:00:00 DONE (2024-12-29 13:15) 0g/s 1092Kp/s 1092Kc/s 1092KC/s jjnnnnnn..nnnnnnnn
Session completed.
root@testvm:~/demo# ~/john/run/john --show john-hash.txt
0 password hashes cracked, 1 left

Hashcat works:

cut -d: -f2- john-hash.txt > hashcat-hash.txt
hashcat -a 3 -m 22951 --keep-guessing -1 john hashcat-hash.txt '?1?1?1?1?1?1?1?1'

hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-skylake-avx512-Intel Xeon Processor (Skylake, IBRS, no TSX), 1400/2865 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force

ATTENTION! --keep-guessing mode is enabled.
This tells hashcat to continue attacking all target hashes until exhaustion.
hashcat will NOT check for or remove targets present in the potfile, and
will add ALL plains/collisions found, even duplicates, to the potfile.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 0 MB

$sshng$5$16$8f1f99cc6f27c8b23478a3de6fcec7d7$224$7b10854dd55b7a38408952d479eab4833d03e61646bb0aadb418f95891862def3869c0443058267fbab4378286ca3bbe30d85cda12934095098dc106443578006226760a615f955d13e742f06da762d682982a5422bff5d4bcdc321d269f52937d3077db8313f70fd66238fe90d165f5fd53f839554274b81e3b3d2d3bb0ee0ad92402f794e0cb20aa4ee3ba2aaa26150b0847786dd4f20421eade809a068886769538de7fc8bbb73fdab2af4f26cf0f0e6ab7074c50defbc70114ca4c1b3ee83e4fa72fa2f3c75d12031179d1f333c2d9e0d270121313af6bd2423bb814d873:johnjohn
Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 22951 (RSA/DSA/EC/OpenSSH Private Keys ($5$))
Hash.Target......: $sshng$5$16$8f1f99cc6f27c8b23478a3de6fcec7d7$224$7b...14d873
Time.Started.....: Sun Dec 29 13:15:48 2024 (0 secs)
Time.Estimated...: Sun Dec 29 13:15:48 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 john, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2179.7 kH/s (7.11ms) @ Accel:128 Loops:64 Thr:1 Vec:16
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 65536/65536 (100.00%)
Rejected.........: 0/65536 (0.00%)
Restore.Point....: 256/256 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:192-256 Iteration:0-64
Candidate.Engine.: Device Generator
Candidates.#1....: jonhonon -> ojnhjnjn

Started: Sun Dec 29 13:15:45 2024
Stopped: Sun Dec 29 13:15:50 2024

[solardiz]

Thank you very much @Nothing4You! I think we can merge this and deal with support in John as part of #5634.